Manage or delete authentication tokens

Before you can manage or delete authentication tokens, you must have enabled token authentication and created at least one token. If you have not enabled token authentication, see Enable token authorization for instructions.

You can manage authentication tokens that you have created in Splunk Web or by using Representational State Transfer (REST) calls. You can view the following information on each token:

Token ID

Token issuer (Issued by, consisting of the Splunk platform user who created the token and the hostname on which the token was created)

Token owner (Username or subject) and audience

Token validity ranges including Not before and expiration times

The Identity Provider (the authentication scheme that was in use when the administrator created the token)

When the token was last used

The IP address that last used the token

For security reasons, you cannot do any of the following with tokens:

Reassign token ownership. A token is assigned to a single user and audience at all times.

If you need to change any of these properties of a token, then you must create a new token with the updated settings, share the token with the user, and, optionally, disable or delete the old tokens.

Considerations for managing authentication tokens on instances that use LDAP for authentication

There are some caveats for using and managing authentication tokens on Splunk platform instances that use LDAP to authenticate.

The LDAP cache controls how long Splunk platform instances that use LDAP retain information from LDAP queries. By default, the LDAP cache never expires, but you can control when it expires by editing a setting in the limits.conf configuration file. See Configure LDAP with configuration files for instructions.

When you delete a user from an LDAP provider, delete any tokens that are associated with the deleted user as well. Tokens can remain valid until the user entry in the LDAP cache expires.

While tokens that are associated with a deleted user no longer work for authentication, if you create a new user with the same username, the LDAP provider can re-associate those tokens with the new user, potentially causing unauthorized access.
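The following is an added example, not part of the Splunk documentation: one way to find tokens left behind by deleted LDAP users so that they can be removed before a username is reused. The inventory, its field names, and the directory user list are constructed assumptions. Usable tokens are disabled first because this page states that disabling takes effect immediately while deletion can lag by up to two minutes.

```python
from datetime import datetime, timezone

# Constructed sample inventory. Field names are assumptions that mirror the
# columns shown on the Tokens page; they are not a Splunk export format.
TOKENS = [
    {"id": "tok-a1", "owner": "asmith", "idp": "LDAP", "status": "enabled",
     "expires": "2031-01-01T00:00:00+00:00"},
    {"id": "tok-b2", "owner": "jdoe", "idp": "LDAP", "status": "enabled",
     "expires": "2031-01-01T00:00:00+00:00"},
    {"id": "tok-c3", "owner": "JDoe", "idp": "LDAP", "status": "disabled",
     "expires": "2031-01-01T00:00:00+00:00"},
    {"id": "tok-d4", "owner": "mlee", "idp": "LDAP", "status": "enabled",
     "expires": "2020-01-01T00:00:00+00:00"},
    {"id": "tok-e5", "owner": "svc_local", "idp": "Splunk", "status": "enabled",
     "expires": "2031-01-01T00:00:00+00:00"},
]
# Constructed: accounts that still exist in the LDAP directory.
LDAP_USERS = {"asmith", "bjones"}


def orphaned_ldap_tokens(tokens, directory_users, now):
    """Return (token_id, owner, actions) for LDAP tokens whose owner is gone."""
    # Assumption: usernames are compared case-insensitively.
    known = {u.casefold() for u in directory_users}
    plan = []
    for tok in tokens:
        if tok["idp"] != "LDAP" or tok["owner"].casefold() in known:
            continue
        usable = (tok["status"] == "enabled"
                  and datetime.fromisoformat(tok["expires"]) > now)
        # Disabling cuts access immediately; deletion can lag behind the token
        # cache (up to two minutes), so a usable token is disabled first.
        # Disabled or expired tokens are still deleted so that they cannot be
        # re-associated with a new user who reuses the username.
        actions = ["disable", "delete"] if usable else ["delete"]
        plan.append((tok["id"], tok["owner"], actions))
    return plan


if __name__ == "__main__":
    for token_id, owner, actions in orphaned_ldap_tokens(
            TOKENS, LDAP_USERS, datetime.now(timezone.utc)):
        print(f"{token_id}  owner={owner}  ->  {' then '.join(actions)}")
```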

Manage authentication tokens in Splunk Web

Enable or disable existing tokens. See "Enable or disable authentication tokens" later in this topic.

Delete existing tokens. See "Delete authentication tokens" later in this topic.

While you can view token IDs, there is no way to view a token in its entirety. Token users require the full token before they can use it. You cannot give the token ID to a user to use as a token if they have forgotten or misplaced the token. You must either provide the entire token, if it is available to you, or create a new one.

View token information

The Tokens page lists information on the tokens that you have created. Each token is represented by its token ID.

It is not possible to view a full token on this page. You can only view a full token immediately after you create it in the "New Token" dialog box, and before you close that dialog box.

From the system bar, click Settings > Tokens. The Tokens page appears.

(Optional) Use the Search text box to locate a token by one of the following fields:

ID

Owner

Issuer

Audience

Status: "Enabled" or "Disabled"

Identity provider

(Optional) Hover the mouse over a token ID to see a tooltip that shows the entire token ID.

(Optional) Select the > button to expand a token entry and show detailed information about a token:

Token ID

Token issuer and issuing workstation

"Not before" validity time

The Splunk authentication scheme that this token uses

The last IP address that used the token successfully

The instance updates the last seen IP address and time whenever you use a token. Usage information is cached for up to two minutes after use, and Splunk Web does not show multiple uses during that period.

Enable or disable existing tokens

When you disable a token, users who use the token lose access immediately. You must enable the token again for users to regain access while it is valid.

Tokens that have not reached their "Not Before" validity time remain unusable until that time has passed, regardless of the changes that you make with this procedure.

From the system bar, click Settings > Tokens. The tokens page appears.

(Optional) Use the Search text box to locate a token. The page updates to show only tokens that match the text you entered.

Locate the token whose status you want to change.

In the Actions column for the token, if a token is enabled, click the Disable link to disable the token.

In the Disable Token dialog box that appears, click Disable.

Otherwise, if a token is disabled, click the Enable link to enable the token.

In the Enable Token dialog box that appears, click Enable.

Repeat these actions for additional tokens whose status you want to change. You can use the Search text box to update the list of tokens.

Delete an existing token

When you delete a token, users who use the token lose access when the cache for the token expires, up to two minutes after token revocation. You must issue a new token or standard credentials to grant access to the user that had the previous token.

From the system bar, click Settings > Tokens. The tokens page appears.

(Optional) Use the Search text box to locate a token. The page updates to show only tokens that match the text you entered.

Locate the token that you want to delete.

In the Actions column for the token, click the Delete link to delete the token.

In the Delete Token dialog box that appears, click Delete.

Repeat these actions for additional tokens that you want to delete. You can use the Search text box to update the list of tokens.

Manage authentication tokens using REST

You can use either a REST client or the cURL command-line utility to generate REST requests to your Splunk Enterprise instance. All of the following command examples use cURL. In addition to using standard credentials to manage tokens, you can also use a valid token to perform these requests.

Open a shell prompt.

From the prompt, run the appropriate curl command, based on how you want to authenticate.

To authenticate with standard credentials, provide them as part of the command: curl -k -u <username>:<password> ...

To authenticate with a token, provide the token in an authorization header: curl -k -H "Authorization: Bearer <valid_token>" ...

Review the output to confirm that the command completed successfully.

(Optional) Perform additional requests, depending on the endpoints you are using and the tasks you want to complete.

View information on a single existing token

Disable an existing, enabled token

If you disable the token that you are actively using, there is no warning or ability to cancel or undo the change. You must then either log in with standard credentials to re-enable it, or use another token if it is available.

Enable an existing, disabled token

Delete an existing token

If you delete the token that you are actively using, there is no warning or ability to cancel or undo the change. You must then either log in with standard credentials to create a new one, or use another token if it is available.
